How to Transition from PA-DSS to PCI Software Security Framework

What is the PCI Software Security Framework and PCI Secure Software Standard?

In 2019, the PCI Security Standards Council (PCI SSC) introduced the PCI Software Security Framework (PCI SSF) as the successor to the PA-DSS program, allowing a more flexible approach to validating payment applications and the development processes behind them. After June 30, 2021, new payment applications will no longer be accepted under the old PA-DSS program.

PCI SSF was redesigned from the ground up to address two distinct aspects of payment software, each developed as a separate program:

  • Secure Software Standard (S3): Focused on ensuring that an application protects cardholder data effectively.
  • Secure Software Lifecycle (Secure SLC) Standard: Focused on ensuring secure development processes at an organization that develops applications to be validated against the S3 standard.

Both programs result in a listing on the PCI SSC website. S3 currently applies to the same types of applications that PA-DSS applied to, although this scope is subject to change as new modules are introduced into the S3 program. For more detail on how this works, see our article on navigating the new framework.

What is the timeline for transition?

The final day to submit any payment application under the old PA-DSS (Payment Application Data Security Standard) is June 30, 2021. As of June 2021, here are some statistics from the PCI SSC for Validated Payment Applications:

  • Total applications: 5,635
  • Listed before PA-DSS version 3.x: 4,811
  • Currently listed under 3.0, 3.1, and 3.2: 823

First published in January 2019, with the program opened to vendors in early 2020, PCI SSF is just getting off the ground, with the following numbers of Validated Payment Software listings and Secure SLC-Qualified Software Vendors:

  • 2 software listings under the Secure Software Standard 1.0
  • 1 vendor listed under the Secure SLC Standard 1.0

Understanding the impact of this transition

With the program in its infancy, there are hundreds of applications that could potentially be listed in the next year, an unknown number of vendors considering Secure SLC validation, and many open questions, such as:

  • Will SSF be easier or more challenging than PA-DSS? Will the move be costlier?
  • Which changes will impact applications?
  • How can I list frequent application changes now that wildcard versioning has been removed from the program?
  • What value is there in obtaining the optional Secure SLC listing as a vendor, or is it sufficient to put my software through the Secure Software Standard only?
  • Is it possible to leverage the effort and cost of SSF to create additional business value?
  • How can I manage the Secure SLC program in a way that provides value to my development team beyond payment software development alone?

Moving forward successfully with PCI SSF

The PCI SSC designed the SSF with a focus on secure software development and a more flexible approach to validation.

This is good news, but it also raises many challenges and questions beyond those listed above. Our whitepaper can help you understand the new SSF program and address some of the challenges you might face with the new standard.

Regardless of this or any other regulation, gaining control of your agile development cycles in a way that accelerates time to market while improving security can give you a competitive advantage.

About the Author

Dan Fritsche

Dan Fritsche, CISSP, is the Founder of Alpine Security Consulting. Dan's specialty is security innovation, helping companies turn security from a hurdle into a strategic investment. Dan started his career in a security-focused role at IBM, where he supported functions such as penetration testing, vulnerability scanning, application security, and business intelligence across multiple business units during his decade-long tenure. After IBM, he worked at Coalfire, where he helped companies improve their posture in application security, encryption, tokenization, and many other security specialties. Dan went on to help Global Payments drive the value and involvement of innovative security approaches as early in the application development life cycle as possible. Dan has held several certifications, including PCI QSA, PA-QSA, and P2PE QSA/PA-QSA, for five to ten years or more.
